Securing Enterprise Networks Using Traffic Tainting

msra(2009)

Abstract
Enterprise networks are vulnerable to attacks ranging from data leaks to the spread of malware to insider threats. Previous defenses have largely focused on securing hosts; unfortunately, when hosts are compromised, these defenses become ineffective. Rather than attempting to harden the host against every possible attack (which is impractical) or constraining the software that can run on a host (which is inconvenient), we place a small amount of trusted code on the host to assist with tracking the provenance of network traffic, moving the rest of the trust and function to the network. We present Pedigree, a system that tracks information flow across processes and hosts within a network by annotating traffic with taints that reflect the process that generated the traffic and the inputs that process has taken (we call this function traffic tainting). A tagger on the host annotates network traffic with information about the "taints" that the sending process has acquired. Network devices act as arbiters to take appropriate actions (e.g., blocking) based on the taints associated with the traffic and the enterprise network's security policy. We have implemented Pedigree's host-based tagger as a Linux kernel module and the arbiter using the OpenFlow platform. This demonstration presents a prototype deployment of Pedigree that identifies and prevents both sensitive data leaks and the spread of malware in a typical enterprise network setting. The demonstration will show that Pedigree can defend against these attacks without significant overhead at the host or the filtering device.
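The abstract describes two cooperating pieces: a host-side tagger that accumulates taints on each process from the inputs it consumes and stamps outbound traffic with them, and a network arbiter that applies policy to the tainted flows. The following toy simulation, added here as an illustration and not Pedigree's own code, models that division of labour in plain Python. The taint names (`sensitive`, `untrusted-download`), the hostnames, the file labels and the two policy rules are all constructed assumptions; the real system keeps this state in a kernel module and enforces it on OpenFlow switches, neither of which is modelled.

```python
"""Toy model of traffic tainting as described in the Pedigree abstract.

Added example, not Pedigree's code. Taint labels, hostnames, file labels
and policy rules below are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed taint labels.
SENSITIVE = "sensitive"            # acquired by reading a confidential file
UNTRUSTED = "untrusted-download"   # acquired by receiving data from outside


@dataclass(frozen=True)
class Flow:
    """A flow as the arbiter sees it: endpoints plus the taints the
    sending host's tagger stamped on it."""
    src_host: str
    dst_host: str
    taints: frozenset


@dataclass
class Process:
    pid: int
    host: str
    taints: set = field(default_factory=set)


class HostTagger:
    """Models the small trusted on-host component: it records the taints a
    process acquires from files, inbound traffic and local IPC, and stamps
    the union of them onto the process's outbound traffic."""

    def __init__(self, host, internal_hosts, file_labels):
        self.host = host
        self.internal_hosts = set(internal_hosts)
        self.file_labels = file_labels      # path -> set of taints (constructed)
        self.procs = {}

    def spawn(self, pid):
        self.procs[pid] = Process(pid, self.host)

    def read_file(self, pid, path):
        self.procs[pid].taints |= self.file_labels.get(path, set())

    def receive(self, pid, flow):
        # Inbound data carries its sender's taints into the receiving process;
        # data from outside the enterprise (no tagger there) is untrusted.
        taints = set(flow.taints)
        if flow.src_host not in self.internal_hosts:
            taints.add(UNTRUSTED)
        self.procs[pid].taints |= taints

    def local_ipc(self, src_pid, dst_pid):
        self.procs[dst_pid].taints |= self.procs[src_pid].taints

    def send(self, pid, dst_host):
        return Flow(self.host, dst_host, frozenset(self.procs[pid].taints))


class Arbiter:
    """Models the in-network enforcement point: each flow is checked
    against a (constructed) enterprise policy before being forwarded."""

    def __init__(self, internal_hosts):
        self.internal_hosts = set(internal_hosts)
        self.log = []

    def decide(self, flow):
        dst_external = flow.dst_host not in self.internal_hosts
        if SENSITIVE in flow.taints and dst_external:
            verdict = ("block", "sensitive data leaving the enterprise")
        elif UNTRUSTED in flow.taints and not dst_external:
            verdict = ("block", "untrusted content reaching an internal host")
        else:
            verdict = ("allow", "")
        self.log.append((flow, verdict))
        return verdict


def run_scenario():
    """Walk a constructed scenario through the model; return the verdicts."""
    internal = {"ws1", "ws2", "fileserver"}
    arbiter = Arbiter(internal)
    ws1 = HostTagger("ws1", internal, {"/srv/payroll.csv": {SENSITIVE}})
    ws2 = HostTagger("ws2", internal, {})
    verdicts = []

    # 1. A process on ws1 reads a confidential file and sends to an internal peer.
    ws1.spawn(100)
    ws1.read_file(100, "/srv/payroll.csv")
    f1 = ws1.send(100, "ws2")
    verdicts.append(arbiter.decide(f1)[0])       # allow: stays inside
    ws2.spawn(200)
    ws2.receive(200, f1)                         # taint crosses hosts

    # 2. The receiving process on ws2 forwards the data outside.
    f2 = ws2.send(200, "backup.example.net")
    verdicts.append(arbiter.decide(f2)[0])       # block: taint followed the data

    # 3. A download from outside taints a process on ws1, which then contacts ws2.
    ws1.spawn(300)
    ws1.receive(300, Flow("cdn.example.net", "ws1", frozenset()))
    f3 = ws1.send(300, "ws2")
    verdicts.append(arbiter.decide(f3)[0])       # block: lateral spread

    # 4. A process with no taints talks to the outside world.
    ws1.spawn(400)
    f4 = ws1.send(400, "www.example.net")
    verdicts.append(arbiter.decide(f4)[0])       # allow: nothing to protect
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is the one the abstract relies on: policy is evaluated at the arbiter, so a compromised or careless process on ws2 cannot shed the `sensitive` taint it inherited from ws1, and the arbiter does not need to know which process or host is honest. Running it prints `['allow', 'block', 'block', 'allow']`.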